Tue, Oct 17, 2023 at 09:42:47AM CEST, idosch@xxxxxxxxxx wrote: >Each devlink instance is associated with a parent device and a pointer >to this device is stored in the devlink structure, but devlink does not >hold a reference on this device. > >This is going to be a problem in the next patch where - among other >things - devlink will acquire the device lock during netns dismantle, >before the reload operation. Since netns dismantle is performed >asynchronously and since a reference is not held on the parent device, >it will be possible to hit a use-after-free. > >Prepare for the upcoming change by holding a reference on the parent >device. > Just a note, I'm currently pushing the same patch as a part of my patchset: https://lore.kernel.org/all/20231013121029.353351-4-jiri@xxxxxxxxxxx/ >Signed-off-by: Ido Schimmel <idosch@xxxxxxxxxx> >Reviewed-by: Jiri Pirko <jiri@xxxxxxxxxx> >--- > net/devlink/core.c | 3 +++ > 1 file changed, 3 insertions(+) > >diff --git a/net/devlink/core.c b/net/devlink/core.c >index bcbbb952569f..5b8b692b8c76 100644 >--- a/net/devlink/core.c >+++ b/net/devlink/core.c >@@ -4,6 +4,7 @@ > * Copyright (c) 2016 Jiri Pirko <jiri@xxxxxxxxxxxx> > */ > >+#include <linux/device.h> > #include <net/genetlink.h> > #define CREATE_TRACE_POINTS > #include <trace/events/devlink.h> >@@ -310,6 +311,7 @@ static void devlink_release(struct work_struct *work) > > mutex_destroy(&devlink->lock); > lockdep_unregister_key(&devlink->lock_key); >+ put_device(devlink->dev); > kfree(devlink); > } > >@@ -425,6 +427,7 @@ struct devlink *devlink_alloc_ns(const struct devlink_ops *ops, > if (ret < 0) > goto err_xa_alloc; > >+ get_device(dev); > devlink->dev = dev; Nit: devlink->dev = get_device(dev); > devlink->ops = ops; > xa_init_flags(&devlink->ports, XA_FLAGS_ALLOC); >-- >2.40.1 > >
